hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10769) Add getDelegationToken() method to KeyProvider
Date Wed, 02 Jul 2014 16:57:24 GMT

[ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050319#comment-14050319 ]

Larry McCay commented on HADOOP-10769:
--------------------------------------

I fully understand your intent here but you seem to be missing the fact that the provider
API is a client side abstraction to an arbitrary key provider or providers. 

bq. If you deploy an external provider via KMS you get then additional benefits out of the
box: scalability, caching, isolated DEK management.

All of the benefits of the KMS are wonderful and can be easily added to simple providers by
plugging them into the KMS server. However, more sophisticated key management solutions will
provide these themselves and the key provider interface on the client side shouldn't impose
the need for a method that is extraneous to the given provider. The need for getting a DelegationToken
is a reasonable requirement for a specific provider - in this case the KMSClientKeyProvider
but it isn't something that needs to be done for all implementations.

bq. Also, note that the getDelegationToken() it does not handle authentication, just getting
a delegation token. Authentication is assumed to be done via UGI mechanisms.

Perhaps I am missing something - my understanding is that you need getDelegationToken so that
you can get it from the KMS to allow for "authentication" to the KMS later from services/tasks
that will get the token from the credentials file for the job submission in order to request
a key from the KMS. Is this incorrect?

My proposal is to allow for this very capability through a more generic contract with the
key providers.


> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the KeyProvider
> from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.


